ERP Security & Controls

Getting access rights

under control

Organizations implement ERP (Enterprise Resource

Planning) systems like SAP, Microsoft Dynamics AX
(former Axapta) to improve and automate business
processes. Expected benefits of implementation include
a reduction in the cost of operations, greater asset
efficiency, and enhanced quality of information. ERPs
can help you achieve this, however there is one area
that proves to be difficult to get it rightsecurity &
controls.
Given the size and complexity of most organizations,
effectively managing user access to ERPs is challenging
and can cause inefficiencies across the organization.
Also, when different legal units share one and the same
system platform, special focus should be given to logical
segregation of access to avoid the risk of cross-site
access.
The key questions any organization needs to answer are:
Giving you answers
Deloitte believes that effective internal control is a key
element in protecting the integrity of your operational
and financial information.
Despite the technology you are using, the best way to
protect your data is by controlling access to the systems
where that data is being processed and stored.

The basic elements of access controls for

ERP systems include:
Controls within processes of granting (and changing)
user access to the ERP system, and
Regular monitoring of users who already have access
to the system.
Designing a standard process that regulates how
users are granted access to the system is the first
defense against data corruption and data leakage.
Clearly defined steps and responsibilities between IT
and business staff help to assure that only authorized
personnel is given access to the system and that proper
authorizations are granted to each user.

execute all
activities in
a business
process without
approvals

create a fictious
vendor
post an invoice

process
operations
omitting control
steps

approve payment
for the invoice
sign-off and
reconcile bank
statement

Financial Statements Integrity

How do you assure that information presented on
your financial statements has not been corrupted?
How do you prevent the intentional financial
misstatements?
How do you assure that only limited people
have authority to approve and execute direct GL
accounts adjustments above 250.000 EUR?

Fradulent Behaviour
How do you prevent fraudulent behavior in your
organization?
How do you assure that your warehouse operators
(blue collar) are not performing stock adjustments?
How do you protect against the risk of paying for
fictions invoices?

As ERP systems can support majority of business

functions in organization, the concern of segregating
conflicting duties is being transferred from
organizational to ERP level. In IT dimension, the
organization has to monitor which users are assigned
conflicting combinations of access rights in ERP.
Such combinations of access rights represent conflicts
of interest and create risk of fraudulent behavior by
allowing one user to execute the majority of activities in
the process and to skip any control and approval steps.

display or
change sensitive
operational and
financial data

approve and post

accounts
adjustments
display vendor,
bank and GL
balances

Step 4 monitor & operate

Once the processes are established and all technology
enablers implemented, we provide you with security
dashboards to facilitate regular monitoring.

1
M

on
ito
r

&
ss e
se at
As valu
E

People

t&
en te
em ia
pl e d
Im Rem

P
De lan
sig &
n

Assess &
Evaluate

Plan & Design

Implement &
Remediate

Monitor &
Operate

Identify users
with excessive
access rights in
ERP;

Establish the
SOD program;

Develop &
Implement SOD
Matrix;

SOD risk
awareness;

Evaluate access
& security
controls for
ERP;

Map internal
controls to SOD
conflicts;

Remediate
identified SOD
conflicts;

Identify
overlapping
controls;

Implement
unified
mitigating
controls;

Regular SOD
checks &
user access
reviews;

We follow a 4-step process:

At Deloitte we follow the 4-step process that helps your
organization to better protect access to and within your
ERP system.

Process

We believe that effective internal controls are based on

3 pillars: people process technology.
Step 1 assess & evaluate
First, we work with you to assess the current status of
SOD conflicts as well as evaluate the maturity level of
access and security controls.
Step 2 plan & design
Depending on the results of the assessment, we can
assist you in establishing an SOD program and creating
control & risk awareness in the organization; re-design
internal controls to better support SOD program and
adjust IT processes to achieve synergy between IT
department and business personnel.
Step 3 implement & remediate
During the implementation phase, our team of experts
updates and documents procedures and controls
assuring that the user access management and SOD
processes are well established. We develop the SOD
matrix and assist you in clean-up activities (remediation).
For IT related processes we streamline the processes
for user access management; if required, we provide
assistance in automating them.

Run Security
Assessment
for ERP and/or
GRC systems.

Standardize
controls across
organizations;
Technology

Run Security
Assessment for
ERP and/or GRC
systems.

Design security
dashboard;
Streamline
user access
management
processes
with SOD
verification;

Implement
unified
processes for
user access
management;

Security
Dashboard;
Monitor
effectiveness
of the process;

Automate the
process;

Stay in control and get the balance

right between risk and controls to
effectively run your business.

Whenever the tools are needed, our team selects the

proper technology solution adjusted to your needs.

Contacts
For more information, please contact:
Erik Luysterborg
+32 2 800 23 36
eluysterborg@deloitte.com

Joanna Kazimierska
+32 2 800 23 51
jkazimierska@deloitte.com

For further information, visit our website at www.deloitte.com

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (DTTL), its network of
member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred
to as Deloitte Global) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and
its member firms.
Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally
connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients,
delivering the insights they need to address their most complex business challenges. Deloitte has in the region of 200,000 professionals, all
committed to becoming the standard of excellence.

March 2014 Deloitte Bedrijfsrevisoren / Reviseurs dEntreprises

Designed and produced by the Creative Studio at Deloitte, Belgium.

2783

This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities
(collectively, the Deloitte Network) is, by means of this publication, rendering professional advice or services. Before making any decision or
taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte
Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication.